A new investigation has uncovered the highly sensitive health information of thousands of people, including audio and video of therapy sessions, exposed on the internet. The cache of information, linked to a US healthcare company, contained more than 120,000 files and over 1.7 million activity logs.
In late August, security researcher Jeremiah Fowler discovered a large amount of information exposed in an unsecured database linked to virtual medical services provider Confidant Health, which operates in five states including Connecticut, Florida and Texas and offers services such as recovery from alcoholism and drug addiction, and mental health treatment.
The 5.3 terabytes of leaked data included highly personal details that went beyond patients’ private therapy sessions. The files Fowler saw included multi-page reports, among them psychiatric hospitalization records and detailed medical histories. “Some of the documents had the words ‘sensitive health data’ written at the bottom,” Fowler says.
For example, seven pages of the psychiatric reception file, apparently based on an hour-long session with a patient, detailed issues with alcohol and other drugs, with the patient claiming to have taken a “small amount” of drugs from his grandparents’ hospice before a family member died. Another document described a “discordant” relationship between her husband and son, including how the son had accused his partner of sexual abuse while using stimulants.
The exposed health documents include medical records about people’s appearance, mood, memory, the medications they take, and overall mental state. One spreadsheet seen by the researchers appears to list Confidant Health members, along with the number and types of doctor visits they’ve had.
“It’s heartbreaking, it’s really difficult family trauma, it’s really difficult personal trauma,” Fowler said, adding that the files also included audio and video of patient visits. “It’s like the exposure of your deepest, darkest secrets that you wrote in your diary, things that you never want to reveal.”
In addition to medical files, the exposed database also contained administrative and verification documents, including copies of driver’s licenses, identification cards and insurance cards, Fowler said. The logs also included references to AI responses to prompts and questions, indicating some of the data was collected by chatbots and artificial intelligence.
Fowler said Confidant Health immediately cut off access to the leaked database after he contacted them. The researcher, who alerts companies to leaked data and does not download it, said some of the 120,000 leaked files had some sort of password protection. Fowler said he reviewed about 1,000 files to verify the leak, identify the source of the data and alert the company. It’s unusual for an exposed database to contain both locked and unlocked files, he said.
In a statement to WIRED, Confidant Health co-founder John Reed said the company takes security concerns seriously and “disputes the sensationalism” of the findings. Reed said that after the company was notified of the “improper configuration,” access to the leaked files was “fixed within the hour.”